2018-02-21 22:17:33 +01:00
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:totp2f</title>
<meta name="generator" content="DokuWiki" />
<meta name="robots" content="index,follow" />
<meta name="keywords" content="documentation,2.0,totp2f" />
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG" />
<link rel="start" href="totp2f.html" />
<link rel="contents" href="totp2f.html" title="Sitemap" />
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css" />
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO={"id":"documentation:2.0:totp2f","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div></li>
<li class="level1"><div class="li"><a href="#enrollment">Enrollment</a></div></li>
<li class="level1"><div class="li"><a href="#assistance">Assistance</a></div></li>
<li class="level1"><div class="li"><a href="#developer_corner">Developer corner</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="totp_2nd_factor_authentication_u2f">TOTP 2nd Factor Authentication</h1>
<div class="level1">
<p>
<a href="https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm" class="urlextern" title="https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm" rel="nofollow">Time-based One-Time Password</a> (TOTP) is an algorithm that computes a one-time password from a shared secret key and the current time. This is what <a href="https://en.wikipedia.org/wiki/Google_Authenticator" class="urlextern" title="https://en.wikipedia.org/wiki/Google_Authenticator" rel="nofollow">Google Authenticator</a> or <a href="https://freeotp.github.io/" class="urlextern" title="https://freeotp.github.io/" rel="nofollow">FreeOTP</a> currently implement.
</p>
<p>
LLNG can let users register this kind of application as a second factor, which raises their authentication level.
</p>
<div class="notetip">Note that it is a second factor, not an authentication module: users are authenticated by the login form first and then by the TOTP code.
</div>
</div>
<!-- EDIT1 SECTION "TOTP 2nd Factor Authentication" [1 - 633] -->
<h2 class="sectionedit2" id="configuration">Configuration</h2>
<div class="level2">
<p>
In the manager (advanced parameters), you just have to enable it:
</p>
<ul>
<li class="level1"><div class="li">TOTP ⇒ Activation: set it to “on”</div>
</li>
<li class="level1"><div class="li">TOTP ⇒ Self registration: set it to “on” if users are allowed to generate a TOTP secret themselves</div>
</li>
<li class="level1"><div class="li">TOTP ⇒ Authentication level: you can override here the authentication level given to TOTP-registered users. Leaving it blank keeps the level provided by the first authentication module <em>(default: 2 for user/password based modules)</em>. <strong>It is recommended to set a higher value here if you want to restrict some applications to enrolled users only</strong></div>
</li>
<li class="level1"><div class="li">TOTP ⇒ Issuer: defaults to the portal hostname</div>
</li>
<li class="level1"><div class="li">TOTP ⇒ Interval: time step of the TOTP algorithm, in seconds (default: 30)</div>
</li>
<li class="level1"><div class="li">TOTP ⇒ Range: number of additional intervals to test around the current one, to tolerate clock drift on the user's device (default: 1). Each extra interval widens the window in which a code stays valid, so keep it small</div>
</li>
<li class="level1"><div class="li">TOTP ⇒ Digits: number of digits per code (default: 6)</div>
</li>
<li class="level1"><div class="li">TOTP ⇒ Display existing secret: display an already registered secret (default: disabled). Anyone holding the user's session could then copy the secret into another authenticator, so leave it disabled unless you need it</div>
</li>
<li class="level1"><div class="li">TOTP ⇒ Change existing secret: allow a user to replace a previously registered TOTP secret</div>
</li>
</ul>
<div class="noteimportant">If you use a custom rule for “activation” and want to keep self-registration, the rule must also require that <code>$_2fDevices =~ /"type":\s*"TOTP"/s</code> matches; otherwise TOTP will be required even of users who have not registered a secret yet. This is done automatically when “activation” is simply set to “on”.
</div>
</div>
<!-- EDIT2 SECTION "Configuration" [634 - 1964] -->
<h2 class="sectionedit3" id="enrollment">Enrollment</h2>
<div class="level2">
<p>
If you have enabled self registration, users can register their TOTP device at <a href="https://portal/2fregisters" class="urlextern" title="https://portal/2fregisters" rel="nofollow">https://portal/2fregisters</a>
</p>
</div>
<!-- EDIT3 SECTION "Enrollment" [1965 - 2092] -->
<h2 class="sectionedit4" id="assistance">Assistance</h2>
<div class="level2">
<p>
If a user has lost their device, you can remove its TOTP entry from the manager's Second Factor module. Once the entry is gone, the automatic “activation” rule no longer matches for that user, so confirm such a request out of band before removing it.
To enable the manager Second Factor Administration module, set the <code>enabledModules</code> key in the <code>[manager]</code> section of your <code>lemonldap-ng.ini</code> file:
</p>
<pre class="code ini"><span class="re0"><span class="br0">[</span>manager<span class="br0">]</span></span>
<span class="re1">enabledModules</span> <span class="sy0">=</span> <span class="re2">conf, sessions, notifications, 2ndFA</span></pre>
</div>
<!-- EDIT4 SECTION "Assistance" [2093 - 2407] -->
<h2 class="sectionedit5" id="developer_corner">Developer corner</h2>
<div class="level2">
<p>
If you have another TOTP registration interface, you have to store these keys in the Second Factor Devices array (JSON) in your user database, then map it to the <code>_2fDevices</code> attribute <em>(see <a href="exportedvars.html" class="wikilink1" title="documentation:2.0:exportedvars">exported variables</a>)</em>:
</p>
<pre class="code file json">[{"name":"MyTOTP","type":"TOTP","_secret":"########","epoch":"1524078936"}, ...]</pre>
</div>
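<p>The example below is added here and is not LemonLDAP::NG code. It ties the Configuration settings (Interval, Range and Digits) to the <code>_2fDevices</code> format shown above: it parses the array to decide whether the TOTP factor applies to a user at all (the condition a custom “activation” rule has to express) and verifies a submitted code within the drift window that Range allows. It assumes that <code>_secret</code> holds the base32-encoded seed, as in the otpauth:// URI that authenticator apps scan; this page does not state the encoding. The function names, the sample device and the use of the RFC 6238 test seed are the example's own.</p>

```python
# Added example, not LemonLDAP::NG code. Interval and Digits drive the code,
# Range widens the acceptance window, and the _2fDevices array decides whether
# the factor applies to a user at all.
# Assumption (not stated on the page): "_secret" is the base32-encoded seed.
import base64
import hashlib
import hmac
import json
import struct
import time


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 seed, tolerating lowercase and missing '=' padding."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp_code(secret_b32: str, now: int, interval: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter now // interval."""
    return hotp(decode_secret(secret_b32), now // interval, digits)


def verify_totp(secret_b32: str, code: str, now: int, interval: int = 30,
                range_: int = 1, digits: int = 6) -> bool:
    """Accept the code if it matches the current step or any of the `range_`
    neighbouring steps on either side (tolerates clock drift on the device).
    Every step in the window is compared so that timing does not reveal
    which one matched."""
    if len(code) != digits or not (code.isascii() and code.isdigit()):
        return False
    key = decode_secret(secret_b32)
    step = now // interval
    matched = False
    for counter in range(step - range_, step + range_ + 1):
        if counter < 0:
            continue
        matched |= hmac.compare_digest(hotp(key, counter, digits), code)
    return matched


def totp_devices(devices_json: str) -> list:
    """TOTP entries of a _2fDevices array; empty or unparsable means none.
    This is the condition the activation rule must express so that users
    who have not enrolled yet are not asked for a code."""
    try:
        devices = json.loads(devices_json or "[]")
    except json.JSONDecodeError:
        return []
    return [d for d in devices if isinstance(d, dict) and d.get("type") == "TOTP"]


def totp_required(devices_json: str) -> bool:
    """Equivalent of: activation is "on" and the user owns a TOTP device."""
    return bool(totp_devices(devices_json))


def check_second_factor(devices_json: str, code: str, now: int, interval: int = 30,
                        range_: int = 1, digits: int = 6) -> bool:
    """Verify a submitted code against every TOTP device the user registered."""
    ok = False
    for dev in totp_devices(devices_json):
        secret = dev.get("_secret")
        if secret:
            ok |= verify_totp(secret, code, now, interval, range_, digits)
    return ok


# Constructed sample of the _2fDevices attribute. The seed is the RFC 6238
# test key "12345678901234567890", so the RFC's SHA-1 test vectors apply.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
SAMPLE_2F_DEVICES = json.dumps([
    {"name": "MyTOTP", "type": "TOTP", "_secret": RFC6238_SECRET_B32, "epoch": "1524078936"},
])

if __name__ == "__main__":
    now = int(time.time())
    print("TOTP required for sample user:", totp_required(SAMPLE_2F_DEVICES))
    print("TOTP required for unenrolled user:", totp_required("[]"))
    code = totp_code(RFC6238_SECRET_B32, now)
    print("current code accepted:", check_second_factor(SAMPLE_2F_DEVICES, code, now))
```

<p>The RFC 6238 vectors make the arithmetic checkable: with the 20-byte test seed, the 8-digit code for time 59 is 94287082, and the 6-digit default is its last six digits. With Range set to N a code stays valid for 2N+1 intervals, which is why the default of 1 should not be raised casually; the length check before any HMAC also keeps a caller from sliding an 8-digit guess past a 6-digit configuration.</p>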
<!-- EDIT5 SECTION "Developer corner" [2408 - ] --></div>
</body>
</html>